Hi Akemi,

The fix allows me to run the cow vulnerability but it blocks, which is good.

See the following:

DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 27832
Racing, this may take a while..
thread stopped
thread stopped

Based on the following bug report, I had compiled a similar module which does the same:

https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

1) Download kernel-debuginfo and kernel-debuginfo-common

yum install kernel-debuginfo kernel-debuginfo-common --enablerepo=*

2) Create a file mitigation.stp with the following content:


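// Requires guru mode (stap -g): both probes overwrite target variables.

// Zero the byte count so writes through /proc/<pid>/mem write nothing.
// The trailing "?" makes the probe optional if mem_write cannot be resolved.
probe kernel.function("mem_write").call ? {
        $count = 0
}

// Overwrite the request with a value that is not a valid ptrace request,
// so ptrace calls fail.
probe syscall.ptrace {  // includes compat ptrace as well
        $request = 0xfff
}

probe begin {
        printk(0, "CVE-2016-5195 mitigation loaded")
}

probe end {
        printk(0, "CVE-2016-5195 mitigation unloaded")
}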


3) Build the module

stap -g -p 4 mitigation.stp

4) The module file is placed in the following location:

/root/.systemtap/cache/f4/stap_f4efcb030069a07d7cacae195d59169a_65631.ko

5)
staprun -L stap_f4efcb030069a07d7cacae195d59169a_65631.ko

6) Deploy and run the module on all affected machines.


So my question is: what exactly has been patched in the recent upstream kernel?

Valentin

On 10/25/2016 02:04 AM, Akemi Yagi wrote:
> Hi Valentin,
>
> On Mon, Oct 24, 2016 at 1:13 PM, Valentin B <[log in to unmask]> wrote:
> > Hi Pat,
> >
> > If this patch / fix was applied to kernel 3.10.0-327.36.3.el7.x86_64
> > then it seems to me more of a mitigation / blocker instead.
>
> Which "patch / fix" are you referring to? Could you elaborate?
>
> I believe the patch applied to the 7.2 kernel is in principle the same
> as what appeared in the upstream kernels at kernel.org. The two
> patches are not identical due to rather heavy modifications done to
> the RHEL kernel.
>
> > The patch applied to 4.7.9-200.fc24.x86_64 on Fedora 24 seems more of a
> > proper fix.  The cowroot vulnerability doesn't get the chance to be
> > executed at all.
> >
> > Best regards,
> > Valentin
>
> Akemi

-- 

Valentin Bajrami
Kapteyn Astronomical Institute
University of Groningen
Postbus 800
NL-9700 AV Groningen
The Netherlands

Phone:    +31-(0)50-3634068

PGP Fingerprint: 50D7 E233 C2E0 1C81 BB7F F8D8 E51B CF89 A52E 5271
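
After step 6 of the procedure in the message above, each machine should be checked to confirm the mitigation module is actually loaded. The following is an added example, not part of the original message or the Red Hat bug report: it searches kernel log text for the two printk marker strings from mitigation.stp and lists `stap_`-prefixed modules in `lsmod` output. The function names and the sample log and lsmod lines are constructed for illustration.

```shell
#!/bin/sh
# Marker strings copied from the printk() calls in mitigation.stp.
LOADED_MSG='CVE-2016-5195 mitigation loaded'
UNLOADED_MSG='CVE-2016-5195 mitigation unloaded'

# mitigation_state (hypothetical helper): read kernel log lines on stdin and
# print "loaded", "unloaded" or "absent". The most recent marker wins, so a
# module that was loaded and later removed is reported as unloaded.
mitigation_state() {
    state=absent
    while IFS= read -r line; do
        case $line in
            *"$UNLOADED_MSG"*) state=unloaded ;;
            *"$LOADED_MSG"*)   state=loaded ;;
        esac
    done
    printf '%s\n' "$state"
}

# stap_modules (hypothetical helper): read lsmod-format text on stdin and
# print modules whose name starts with "stap_", the prefix seen in step 4.
stap_modules() {
    awk 'NR > 1 && $1 ~ /^stap_/ { print $1 }'
}

# Constructed sample kernel log: loaded, removed, then loaded again.
sample_dmesg() {
    cat <<'EOF'
[  812.104233] CVE-2016-5195 mitigation loaded
[ 1490.551870] CVE-2016-5195 mitigation unloaded
[ 1502.009416] CVE-2016-5195 mitigation loaded
[ 1733.220195] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
EOF
}

# Constructed sample lsmod output; the module name is the one from step 4.
sample_lsmod() {
    cat <<'EOF'
Module                  Size  Used by
stap_f4efcb030069a07d7cacae195d59169a_65631    98304  0
xfs                   939714  2
EOF
}

# Demo on the constructed samples.
printf 'state:   %s\n' "$(sample_dmesg | mitigation_state)"
printf 'modules: %s\n' "$(sample_lsmod | stap_modules)"
```

On a real host, feed it live data with `dmesg | mitigation_state` and `lsmod | stap_modules`; both the kernel log and the loaded module are gone after a reboot, so the check reports "absent" until the module is loaded again.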